Security is complicated! Or is it actually?
I wrote this post originally for the 56K.Cloud Blog. You can find the original blog here.
Yeah, that's a catchy title, I know. For sure, security is important and complicated. But there are ways to apply it with less pain. Over the last months, I helped a customer set up and automate CIS-compliant infrastructure on AWS, eliminating much of the manual work and complexity involved with CIS compliance.
Like most of you, I come from a world where you learn again and again how painful security can be. So I had my reservations when I started working on this project. But I also had high hopes, because I know the possibilities and strengths of AWS and the concept of Infrastructure as Code (IaC). Luckily, I was right. During this project, we deployed a CIS-compliant infrastructure and provided the customer with service modules tailored to their security requirements.
How did we do it?
We had to deal with three main technologies: AWS as the cloud provider, Gruntwork as the Infrastructure as Code (IaC) solution, and GitHub Actions (CI/CD) to automate the tasks.
AWS (Amazon Web Services)
The applications use various services like
- Amazon Elastic Kubernetes Service (Amazon EKS)
- Amazon Relational Database Service (Amazon RDS) with different engines
- Amazon S3
- Amazon CloudFront
- … and many more.
From a security point of view, configuring all these services in a compliant way is a complicated task, especially if you run multiple instances of the same service and deploy them across different environments (dev, stage, production, …).
Gruntwork Service Catalog
Configuring all the services mentioned above manually is already a complicated task, even without conforming to a certain regulation or meeting a security benchmark. Luckily, clever people came up with the concept of Infrastructure as Code (IaC). Gruntwork builds on this concept and provides reusable Terraform modules. Its AWS Infrastructure as Code Library provides reusable, battle-tested, production-ready configurations for a lot of AWS services. Each customer can take these modules as is, or extend them to their specific requirements.
On top of that, Gruntwork provides special modules that meet certain security standards. In this project, we used the service catalog for the CIS AWS Foundations Benchmark. This catalog contains modules that are pre-configured to meet the benchmark's requirements. A lot of companies have extra security requirements on top of that, and this customer was no exception. So we had to adapt some modules to meet these requirements. The coordination between the DevOps team and the security team resulted in keeping the service catalog unmodified and putting the customer's additional requirements into company-specific modules layered on top of it.
GitHub Actions
One task is to ensure that the services are configured as required. The other is to ensure that the configuration doesn't get changed afterwards. This is especially important if you want to comply with a security benchmark, because the benchmark is only met as long as the configuration stays in place. In this project, we used GitHub Actions to solve the second task.
As the term Infrastructure as Code says, it's a way to use code to define infrastructure. So the first thing is to keep the modules in git repositories. In this project, all the modules live in git repositories on GitHub, some in the Gruntwork organization and some in the customer's GitHub organization. This allowed us to use GitHub Actions for the automation. Here we run `terraform plan` and `terraform apply`. The first command evaluates the changes that would be made to the infrastructure, and the second command executes them. This gives a single way to change the infrastructure. And because Terraform refreshes the real state of every resource it manages before planning, an `apply` also reverts changes that were made outside the code (for example by hand in the console), as long as the changed attribute is managed by Terraform; resources and attributes that are not described in the code are not touched, so they still need a separate control.
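One way to wire this up, as an added example that is not from the original post or from Gruntwork's own tooling: a GitHub Actions workflow that runs `terraform plan` on pull requests, runs `terraform apply` only for merges to `main`, and runs a scheduled drift check that fails loudly when the live infrastructure no longer matches the code. The repository layout (`infrastructure/live/prod`), the IAM role ARN, the AWS region and the Terraform version are assumptions for the example; the role is assumed through GitHub's OIDC provider, so no long-lived AWS keys have to be stored as repository secrets.

```yaml
# Added example, not from the original post or from Gruntwork.
# Assumptions (hypothetical): Terraform code lives in ./infrastructure/live/prod,
# and the IAM role arn:aws:iam::123456789012:role/github-terraform trusts
# GitHub's OIDC provider (token.actions.githubusercontent.com).
name: terraform

on:
  pull_request:
    paths: ["infrastructure/**"]
  push:
    branches: [main]
    paths: ["infrastructure/**"]
  schedule:
    - cron: "0 */6 * * *"   # periodic drift check every six hours

permissions:
  id-token: write   # required to request the OIDC token for AWS
  contents: read

# Serialise runs so two applies never race against the same state.
concurrency: terraform-prod

jobs:
  terraform:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: infrastructure/live/prod
    steps:
      - uses: actions/checkout@v4

      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-terraform  # assumption
          aws-region: eu-central-1                                          # assumption

      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: "1.5.7"   # assumption; pin whatever version you test with

      - run: terraform init -input=false
      - run: terraform fmt -check -recursive   # fail PRs on unformatted code
      - run: terraform validate

      # -detailed-exitcode: 0 = no changes, 1 = error, 2 = changes pending.
      # The exit code is captured so later steps can branch on it.
      - id: plan
        shell: bash
        run: |
          set +e
          terraform plan -input=false -detailed-exitcode -out=tfplan
          code=$?
          set -e
          echo "exitcode=$code" >> "$GITHUB_OUTPUT"
          if [ "$code" -eq 1 ]; then exit 1; fi

      # On a scheduled run, pending changes mean something changed outside the
      # code. Fail the run so the drift is investigated instead of silently reverted.
      - name: Report drift
        if: github.event_name == 'schedule' && steps.plan.outputs.exitcode == '2'
        run: |
          echo "::error::live infrastructure differs from code; see plan output above"
          exit 1

      # Only merges to main apply, and they apply exactly the plan that was
      # produced above (the saved tfplan), not a fresh computation.
      - name: Apply
        if: github.event_name == 'push' && steps.plan.outputs.exitcode == '2'
        run: terraform apply -input=false tfplan
```

The `push` trigger is restricted to `main`, so pull requests only ever plan, and the plan output is what reviewers look at before merging. Applying the saved `tfplan` rather than re-running `plan` inside `apply` ensures that what was reviewed is what gets executed. The scheduled job deliberately alerts instead of applying: unexpected drift on CIS-relevant resources can be the first sign of an incident, and a silent revert would destroy that evidence. If you prefer the post's approach of letting `apply` revert drift automatically, change the condition on the `Apply` step to include `schedule`, but keep the alert. The state backend is assumed to be a remote backend with locking (for example S3 with DynamoDB), otherwise the concurrency group alone does not protect against parallel runs from other sources.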
Is this a perfect solution? Most likely not, but it's a huge improvement over manual configuration. It also allows the code to grow: whenever a new application gets deployed, one can reuse the previous work and deploy a secured version from the beginning instead of adding security at the end.
More information
For more information about the topic, you can head over to the following links: